From 50cba61c7d78edaadf41490492e1b4153ee7693a Mon Sep 17 00:00:00 2001
From: chrchr-github
Date: Tue, 26 Mar 2024 02:17:31 +0100
Subject: [PATCH 1/2] Fix #12493 #12541 fuzzing crashes
---
 lib/templatesimplifier.cpp | 3 ++-
 lib/tokenize.cpp | 2 ++
 .../fuzz-crash/crash-3997cb1cad0af26035d36ca1a01ece07ca3fd114 | 1 +
 .../fuzz-crash/crash-9a91d3da4e19336af500b94b2405831ed0fc1585 | 1 +
 test/testrunner.vcxproj | 2 +-
 5 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 test/cli/fuzz-crash/crash-3997cb1cad0af26035d36ca1a01ece07ca3fd114
 create mode 100644 test/cli/fuzz-crash/crash-9a91d3da4e19336af500b94b2405831ed0fc1585
diff --git a/lib/templatesimplifier.cpp b/lib/templatesimplifier.cpp
index 943779b7b7f..fb26aae403d 100644
--- a/lib/templatesimplifier.cpp
+++ b/lib/templatesimplifier.cpp
@@ -1508,7 +1508,8 @@ bool TemplateSimplifier::getTemplateNamePositionTemplateClass(const Token *tok,
 int TemplateSimplifier::getTemplateNamePosition(const Token *tok) {
- assert(tok && tok->str() == ">");
+ if (!tok || tok->str() != ">")
+ syntaxError(tok);
 auto it = mTemplateNamePos.find(tok);
 if (!mSettings.debugtemplate && it != mTemplateNamePos.end()) {
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 2d85f117a17..f6cd6eb3750 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -8641,6 +8641,8 @@ void Tokenizer::findGarbageCode() const
 syntaxError(tok);
 if (Token::Match(tok, "==|!=|<=|>= %comp%") && tok->strAt(-1) != "operator")
 syntaxError(tok, tok->str() + " " + tok->strAt(1));
+ if (Token::Match(tok, "& %op%|%cop%"))
+ syntaxError(tok);
 if (Token::simpleMatch(tok, ":: ::"))
 syntaxError(tok);
 }
diff --git a/test/cli/fuzz-crash/crash-3997cb1cad0af26035d36ca1a01ece07ca3fd114 b/test/cli/fuzz-crash/crash-3997cb1cad0af26035d36ca1a01ece07ca3fd114
new file mode 100644
index 00000000000..fe21ddcbfa4
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-3997cb1cad0af26035d36ca1a01ece07ca3fd114
@@ -0,0 +1 @@
+b=1;t o(){& &&&}
\ No newline at end of file
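Review bot: The new guard in getTemplateNamePosition forwards a possibly-null `tok` to `syntaxError(tok)`, so the null case is only as safe as that overload's handling of a null token; the assert it replaces declared non-null as a caller precondition, and nothing in the hunk shows `syntaxError` tolerating nullptr, so this is worth confirming or the fuzz crash just moves one frame down. A one-line comment would also preserve what the assert used to communicate, e.g. `// fuzzed input can reach here with tok missing or not the closing '>'; report a syntax error rather than treating it as a contract violation`. The body of getTemplateNamePosition continues past the end of the hunk.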
diff --git a/test/cli/fuzz-crash/crash-9a91d3da4e19336af500b94b2405831ed0fc1585 b/test/cli/fuzz-crash/crash-9a91d3da4e19336af500b94b2405831ed0fc1585
new file mode 100644
index 00000000000..fac1475e560
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-9a91d3da4e19336af500b94b2405831ed0fc1585
@@ -0,0 +1 @@
+template<>>a{}
\ No newline at end of file
diff --git a/test/testrunner.vcxproj b/test/testrunner.vcxproj
index 06cbbd96667..4dfe4efb3d9 100755
--- a/test/testrunner.vcxproj
+++ b/test/testrunner.vcxproj
@@ -137,7 +137,7 @@
 Application Unicode false
- v142
+ v143
 Application
From 3a164210c02855c0edf4b18847df7b78d36e760b Mon Sep 17 00:00:00 2001
From: chrchr-github
Date: Tue, 26 Mar 2024 12:32:32 +0100
Subject: [PATCH 2/2] Undo
---
 lib/tokenize.cpp | 2 +-
 test/testrunner.vcxproj | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 5815eebce63..9f2ae419ed4 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -8644,7 +8644,7 @@ void Tokenizer::findGarbageCode() const
 syntaxError(tok, tok->str() + " " + tok->strAt(1));
 if (Token::simpleMatch(tok, "::") && (!Token::Match(tok->next(), "%name%|*|~") || (tok->next()->isKeyword() && tok->strAt(1) != "operator")))
 syntaxError(tok);
- if (Token::Match(tok, "& %op%|%cop%"))
+ if (Token::Match(tok, "& %comp%|&&|%oror%|&|%or%") && tok->strAt(1) != ">")
 syntaxError(tok);
 }
diff --git a/test/testrunner.vcxproj b/test/testrunner.vcxproj
index 4dfe4efb3d9..06cbbd96667 100755
--- a/test/testrunner.vcxproj
+++ b/test/testrunner.vcxproj
@@ -137,7 +137,7 @@
 Application Unicode false
- v143
+ v142
 Application
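Review bot: The `tok->strAt(1) != ">"` exclusion in the narrowed condition has no comment explaining why `& >` alone is exempt while every other `%comp%` token after `&` is rejected; presumably it is there because a reference type closing a template argument list tokenizes to `& >` (as in `std::vector<int&>`), but a reader of the pattern cannot tell that from the line. I'd add `// "& >" is legitimate: reference type at the end of a template argument list, e.g. vector<int &>` above the check. Beyond the two fuzz-crash inputs added in the first patch, no positive test pins the narrowed pattern, so a testgarbage case asserting that a `& >` template argument still parses while the `& &&&` input is rejected would guard the next round of tuning. findGarbageCode starts before this hunk.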